The LTE standard defines a strong security model and architecture for protecting 4G mobile communications. However, it remains very unclear how the various modems available on the market implement and enforce the LTE security procedures.

In this paper, we first introduce the basics of LTE security. Then, we show multiple LTE security bypasses that we found in the different 4G modem implementations we tested. We also describe two issues we found in WCDMA stacks during our previous research. Finally, we dive into a few 4G modem implementations to see how they interwork with the Android OS, and how one can try to get information out of them. To conclude, we propose improvements, on both the terminal side and the network side, to increase the effective security level of 4G communications.

Slides are available in PDF here. The link on the right also contains PCAPs.